Driver/Minifilter Signing Query - 64 bit

Hello,

We have a minifilter driver that is working on 32-bit OS, but not working on
64-bit OS (XP, Vista, Windows 7).

How do we sign drivers for XP, Vista and Windows 7 in the 64-bit editions?

What we are doing now to sign the driver/minifilter is:

We tried to sign the driver using selfsign_example.cmd in the
C:\WinDDK\6001.18001\bin\SelfSign folder, and tried the following set of commands:

  1. make TestCert.cer using following command
    Makecert -r -pe -ss PrivateCertStore -n "CN=TestCertforWDK" TestCert.cer

  2. create a CAT file for driver package from inf file
    inf2cat.exe /driver:d:\testcert /os:Vista_x86,Vista_X64,XP_X64

  3. sign cat file using
    SignTool sign /s PrivateCertStore d:\testcert\klfm.cat

  4. sign .sys file using
    SignTool sign /s PrivateCertStore d:\testcert\klfm.sys

  5. install certificate in proper location
    certmgr.exe -add %CERTDIR%\testcert.cer -s -r localMachine root
    certmgr.exe -add %CERTDIR%\testcert.cer -s -r localMachine trustedpublisher

Problems we are facing:

When we try to load the driver on an XP 64-bit system using the fltmc load
command, it fails with the following error:
Load failed with error: 0x800704fb
This driver has been blocked from loading

and on a Windows 7 64-bit system:
Load failed with error: 0x80070241
Windows cannot verify the digital signature for this file. A recent hardware
or software change might have installed a file that is signed incorrectly or
damaged, or that might be malicious software from an unknown source.

The second way of signing the driver/minifilter is:

We also tried the batch file given in
http://www.osronline.com/showThread.cfm?link=143925

It gives the following output, and certutil.exe fails.

Problems we are facing in the second way:

STARTED …


IMPORTING CERTIFICATE …

"C:\WINDDK\6001.18001\bin\SelfSign\certutil.exe" -user -p "1234" -importPFX
C:\certificateNew\MyCert.pfx
402.203.0: 0x80070057 (WIN32: 87): …CertCli Version
313.3409.0: 0x80070056 (WIN32: 86)
313.3471.0: 0x80070056 (WIN32: 86)
CertUtil: -importPFX command FAILED: 0x80070056 (WIN32: 86)
CertUtil: The specified network password is not correct.
301.3128.0: 0x80070056 (WIN32: 86)

SIGNING EXECUTABLE …

"C:\WINDDK\6001.18001\bin\SelfSign\signtool.exe" sign /v /ac
C:\certificateNew\MyCert.cer /s my /n "CN Value" /t
http://timestamp.verisign.com/scripts/timestamp.dllC:\certificateNew\KLFM.sys
SignTool Error: No certificates were found that met all the given criteria.

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

FAILURE :frowning:

Please help.

Do you have a code signing certificate that works for kernel-mode
signing? (At this point, I believe only Verisign and GlobalSign issue
them.) Test signing will only work on a test system where it is enabled;
it will not work on end-user systems.
The certificate must be installed in the local certificate store,
and you need to use it by name:
Signtool sign /v /ac INTERMEDIATE_CERTIFICATE.cer /s my /n "Certificate name" /t http://timestamp.verisign.com/scripts/timestamp.dll DRIVER_FILE_NAME
You can get the intermediate certificate from MS:
http://msdn.microsoft.com/en-us/windows/hardware/gg487315

Regards, Dejan.

Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.
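The steps from the original question and from Dejan's reply, gathered into one batch script. This is an added example, not code from either poster or from the WDK; it assumes the WDK 6001 tools are on PATH, that the package lives in D:\testcert with klfm.inf and klfm.sys, and that the test certificate is named TestCertforWDK (all values taken from the question). It goes beyond the question's inf2cat call by adding 7_X64 to the catalog target list, and it checks the result with `signtool verify /kp` (the kernel-mode signing policy) before any load attempt, so a package the kernel would refuse is reported on the build machine instead of as an error from fltmc load.

```batch
@echo off
rem Added example (not from the thread): test-sign a minifilter package for
rem x64 and verify it under kernel-mode policy before trying to load it.
rem Assumptions: WDK 6001 tools on PATH, package in D:\testcert containing
rem klfm.inf and klfm.sys, certificate name TestCertforWDK. Run elevated.
setlocal
set PKG=D:\testcert
set CERTNAME=TestCertforWDK
set TSURL=http://timestamp.verisign.com/scripts/timestamp.dll

rem 1. Self-signed test certificate; the private key stays in PrivateCertStore.
makecert -r -pe -ss PrivateCertStore -n "CN=%CERTNAME%" "%PKG%\TestCert.cer" || goto :fail

rem 2. Trust it on THIS test machine only (root + trusted publisher).
rem    End-user machines never get this step; that is why test signing
rem    cannot ship.
certmgr.exe -add "%PKG%\TestCert.cer" -s -r localMachine root || goto :fail
certmgr.exe -add "%PKG%\TestCert.cer" -s -r localMachine trustedpublisher || goto :fail

rem 3. The catalog must list every OS/arch the package targets. The
rem    question's call had XP_X64 and Vista_X64 but not 7_X64.
inf2cat /driver:"%PKG%" /os:XP_X64,Vista_X64,7_X64 || goto :fail

rem 4. Embedded signature on the binary (what the loader checks for a
rem    boot/kernel driver), then the catalog.
signtool sign /v /s PrivateCertStore /n "%CERTNAME%" /t %TSURL% "%PKG%\klfm.sys" || goto :fail
signtool sign /v /s PrivateCertStore /n "%CERTNAME%" /t %TSURL% "%PKG%\klfm.cat" || goto :fail

rem 5. Verify under the kernel-mode driver signing policy (/kp), not only
rem    the default Authenticode policy (/pa) used in the thread.
signtool verify /kp /v "%PKG%\klfm.sys" || goto :fail

rem 6. A test certificate only loads while test signing is on; takes
rem    effect after a reboot.
bcdedit /set testsigning on || goto :fail
echo Signed and verified. Reboot, then: fltmc load klfm
exit /b 0

:fail
echo Step failed with errorlevel %errorlevel%
exit /b 1

rem Production path (from Dejan's reply, not runnable here without a real
rem kernel-mode code signing certificate and the Microsoft cross-certificate):
rem signtool sign /v /ac CROSS_CERTIFICATE.cer /s my /n "Certificate name" /t %TSURL% "%PKG%\klfm.sys"
```

The `|| goto :fail` after every tool call matters more than it looks: the question's second attempt continued into signtool after certutil had already failed, so the final "No certificates were found" error was a consequence of the earlier import failure rather than a signing problem in its own right. Stopping at the first non-zero exit code keeps the diagnosis honest.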

Here’s the list of things I do to sign my driver:

All the following is executed from /Projects/mydriver/

— Creating the self cert —
makecert -pe -ss PrivateCertStore -n CN=mycompany.com -r mycompany.cer

— Add the cert to trusted root —
certmgr.exe /add mycompany.cer /s /r localMachine root

— Create the CAT file —
inf2cat /v /driver:c:\projects\mydriver /os:7_X86

— Sign the cat file —
signtool sign /v /s PrivateCertStore /n mycompany.com /t "http://timestamp.verisign.com/scripts/timestamp.dll" mydriver.cat

— Verify the signature and all —
signtool verify /pa /v /c mydriver.cat mydriver.inf

— Sign the driver in case the above stuff doesn't work —
signtool sign /v /s PrivateCertStore /n mycompany.com /t "http://timestamp.verisign.com/scripts/timestamp.dll" chk_win7_x86\i386\mydriver.sys


Hope this helps

Again, this will work on a system where test signing is enabled, not on a regular production system.

xxxxx@fireeye.com wrote:
NTFSD is sponsored by OSR


